Mazda Switches To USB Keys

kv9 writes "The new Mazda Sassou while being 'cool and promoting a positive state of mind' has a most important feature, that every geek will love. Instead of the classic key it uses a usb flash drive for starting up. The key can also be used to transfer things like driving instructions or music to the car's hard drive."

This should be an adventure

[GecKo213]

Locksmiths everywhere will be out of business unless they start carying USB Flash drives. Won't it be fun when someone writes a program that will program all possibly key codes onto a 10 Gig flash driver or something and these cars just start dissapearing? I can't wait to be the first in line to buy one of these!

Re:This should be an adventure

[nyrk]

This already happens in a way. In high school it was pretty well known that most toyota keys would work on most toyota cars. I had a toyota pickup, and even though the keys were not the same, I was on one occasion able to enter, and start up a friend's truck. He happened to be walking on the sidewalk, and I drove past him as I was moving it to the back parking lot. That took a while to explain. Later though, he did help me when I locked my keys in my truck.
The point is, just because you see a failure mode in it doesn't mean that that he old way didn't have the a similar one

Security

[linguae]

Woohoo, my first first post

Anyways, back on topic, I think that the idea of using a USB key that holds directions and other information, as well as starting the vehicle, is a nice and innovative idea. However, the article nor the specifications state anything about where the information about starting the car is stored on the USB drive. My only potential worry about this is the failure of the USB port or computer inside of the vehicle (you can't start your car manually), and whether or not we'll see "Mazda bootkits" widely available online by crackers who now have something else to break in to.

Still, it is quite innovative.

Security for everything

[Iriel]

I guess that this system is going to have to rock solid. Otherwise, I'd hate to see the day that all these cars are shut down (or worse) by starting their car with a USB key infected with a Mazda.b worm from their PC.

"And I thought I was just loading some new tunes!"

SCIF

[Copperhead]

My office is a classified environment, and USB drives ain't allowed in the door. Where am I supposed to put my keys?

Ignition may not be in the drive

[devnullkac]

The USB drive may simply be an add-on to the "keyless" ignition of the 2004 Prius: RFID authenticates with the ignition system when in close proximity. This way you've got a neat storage doodad, but the car will still run if your virus-ridden laptop reformats the USB drive.

Re:great, another point of failure

[ari_j]

How about running over it with a grain truck when the ambient temperature is -40 (celsius or fahrenheit, your pick)? I can do that with my keys right now and they still work.

Re:This is a BAD idea.

[Jeff+DeMaagd]

Aren't there secure USB key standards, where only authenticated software can even retrieve the data? I'm sure something like that can be done.

I think it could be used to implement a "use twice" key, so that if the valets try to use it on a joyride, the owner would know.

Re:What happened to RFID?

[SFEley]

It's not an "uber-expensive" feature; my Toyota Prius has it, and the car only cost $25,000. The RFID key's not a credit card, it's a fob on my keychain, but it's extremely convenient not to have to pull anything out to unlock my car or start it.

Re:This is a BAD idea.

[99BottlesOfBeerInMyF]

Today I can borrow a key for a few hours and go get a copy made, or I can make an impression of that key in just a minute, cast a model, and spend a few hours with my dremel tool making a duplicate that may or may not be good enough. I can duplicate a USB key in just a few minutes while you're in the bathroom. This just makes it even easier for someone with common off-the-shelf technology to make a copy. It has added functionality, but it is also less reliable and may be a vector for computer viruses to infect your car. Personally, I'll stick with an old fashioned key and a hidden kill switch.

Re:What happened to RFID?

[Richy_T]

RFID really isn't expensive. Plug for the company I used to work for: Affordable RFID kits. If you call the owner, he's a great chap and happy to answer any questions you might have.

Rich

Why possession based Key?

Why are we still stuck on possession based keying. USB requires you to have something to start the car just as a key did. Now while security might be increased, possession is still required and reliability is probably decreased.

I prefer knowledge based keying.

The distinct advantages:
-> You can't loose the key. You could forget it
      but that is easy and cost free to "back-up"
      your key code. That means no more griping in
      the morning "Where are my damn keys?"
-> No cost for "copying" the key. Everyone in
      your household could have the key without any
      extra expense.
-> Improved security over tumbler lock keying
      since all you have to do is break the
      mechanism or "hot wire it"
-> It would be easy to implement special access
      keys. For instance keys that expire if
      you want to lend the car to someone without
      giving them your key. Key that have time
      access restrictions for such things as
      teenagers.
-> Trivial and cost free to change the key if
      you feel it has been comprimised.

I for one frown on this USB key for some of the reliability reasons previously stated and also that I would not be allowed to bring the key into work since I work for a defense contractor.

Durability is more than physical toughness.

[leshert]

Given the ratio of usb-drives-I've-owned to usb-drives-I've-killed-presumably-from-ESD (which currently sits at 1:1), I'd be more worried about non-physical threats to the integrity of the device.

Last time I zapped a usb drive, I drove home and burned a CD from the backup I'd made. That might be problematic in this case.

Smart Key

[alecks]

I just bought an '05 Toyota Avalon that has the "smart key" system, which is very simliar to what you're saying. Don't think it's RFID, but it works the same. i keep the keys in my pocket at all times, when i'm near the car, it knows it and allows me to unlock just by touching the handle. When i'm inside the car, i can start it with a push of a button.
I love it.

Re:Hot Wiring: No Match for a Thief

[TobyWong]

Real thieves don't hotwire anyhow. They back up the tow truck and tow the car away, engine imobilizer and all. In broad daylight even. You don't need to start it to chop it into pieces.

If they REALLY wanted to do it they could still "hotwire" the newer cars by bringing a seperate matching key/column computer and splicing it into the car but why bother with this hassle when you can just tow?

Re:great, another point of failure

Kind of reminds me of a Sekonda commercial (an inexpensive Russian watch which, despite what you might think, was actually fairly high quality) that ran in Britain during the early eighties.

They showed two watches, an expensive competitor, and a Sekonda, on the ground, and a large steamroller heading towards them both. The voice over was talking about the fact that "the watch on the right" matches {big list of features of} "the watch on the left". "So what's the real difference?"

The roller goes over, and you're supposed to expect the "watch on the right" to have survived or something indicating its unparalled strength. Nah. Both are smashed to bits. Voice over: "The watch on the left costs ten times as much as the watch on the right"

Re:Better than most.

[meloneg]

I prefer to go with the less-desirable-than-your-car approach.

That's why I drive a ten-year-old car with almost 200K miles on it. I frequently leave the windows open on a hot day, if I don't have anything valuable in the car.

Anybody desperate enough to steal it needs it more than I do. Its not even fast enough to attract joyriders.

But, it does it get me around just fine. And, I bought it outright for about 3 monthly new car payments.

Re:great, another point of failure

Slightly off topic, but it has to do with running things over cars, so what the hell.

At work a few weeks ago we had an old hard drive with data we needed to get rid of. So old that the connectors to it weren't even in production anymore and there's no modern equipment it could hook up to... One of those old 5.25 inch hard drives. The thing was a freakin tank! We ran it over with my Tahoe in some pretty destructive positions, threw it against concrete, smashed it with sledgehammers, the damn thing wouldn't break. We finally broke it open after about 15 minutes of sledgehammering/throwing against the pavement. It'd be nice if new hard drives were this tough. :P

Re:Better than most.

[lostchicken]

On the Lexus (at least on my IS), while there are only a few mechanical keys that are in circulation, each key needs a radio transponder in it that's interrogated to start the car. The ID is specific to the key, but you can tell the car (through a bizarre song and dance involving turning the key a couple of times and pumping the accelerator) to allow a new key to pair with the car.

So, you can add a key to the car, but you need at least one key to get the thing in the programming mode. They don't store that code anywhere, so if you lose all four keys it came with, you have to buy a new ECU. Really, really expensive. Also hard to steal.

Re:Security?

[ZakMcCracken]

Public key cryptographic security would probably be overkill for a simple one-to-one transaction like this one.

What is likely to have been engineered, rather, is that a short secret (~128 bits) has been stored on the key and on the car, both with physical security (as in a smartcard). Then, the car can authenticate the key using a simple challenge / response protocol based on secret key cryptography.

The short secret itself is probably generated from a master secret, a key derivation algorithm and the car's serial number.

Wrong.

[Poromenos1]

Yeah, I had that idea too. Read this. I was surprised that noone had thought of it. I recently read "Applied Cryptography" (an excellent book) and it had the exact same thing as an authentication protocol, and below it it said "It is foolish to encrypt arbitrary stringsnot only those sent by untrusted third parties, but under any circumstances at all". So much for my bright idea.

The solution he proposes is that "Alice makes some computation based on the random numbers (both the ones she generated and the one she received from the host) and her private key, and sends the result to the host. The host does some computation on the various numbers received from Alice and her public key to verify that she knows her private key".

There you have it, my brilliant idea foiled by chosen plaintext attacks.

Re:Security?

[owlstead]

Yep, that would work. As long as the keys are safe, you wouldn't want anyone be able to copy the keys. Besides stealing the car, their would be no prove that someone did not have access granted or not (fraud).

The protocol is not that much of an issue (as long as it is chosen with care). The other practical considerations are much more important. Even RSA processors are not that expensive anymore, but I agree that it would be overkill for this kind of "problem".

So now if YOu want to make a copy of your key

[Cyberllama]

You just dump the contents to your hard drive and copy it to a new USB flashdrive . . . No more trips to the hardware store.

Re:Hot Wiring: No Match for a Thief

[Cyberax]

There is a device called 'squid' (direct translation from Russian, I don't know how it's called in English), it's a little black box with lots of wires with clamps. It can control ignition and injectors without any help from car's electronics.

This device is used in service centers and by car hijackers :)